Friday, December 11, 2015

For whatever reason the cluster-maps widget began to distribute ads via their feed. As I have a strong no-ads policy here, I was forced to delete it. That's a bit unfortunate as I really liked it and it was a cool widget to see where visitors came from. Wrong move!

If anyone knows how I could disable the ads w/o disabling the entire cluster-maps widget or knows about an ad-free alternative to it, please leave me a comment.

Thursday, December 10, 2015

o deniable personas: opmsg now supports OTR-style messages that are signed and integrity protected but still deniable, so your peer cannot prove you wrote a certain message. Nothing in the message format changes and you can use deniable messages like any other ones. Please check the README about this topic.
o It's now possible to specify more than one -E target persona to support Cc/Bcc of emails. Please note the slight mutt config changes: '%r' vs. %r if you are going to use Cc (also check the README).

Thursday, December 3, 2015

We at opmsg team take security very seriously. Really. So at times we end up digging into the underlying libs which we use, to understand entropy and key generation. Since we take security so seriously (really), we are very Nazi about entropy. If we find anything that might be an issue or could be an issue if used in certain environments, we take all necessary actions to protect you.

So this time we inform you, our valued customer, that usage of libressl in certain Linux environments could be dangerous with regard to key generation. In nested container environments (cloud!) the state of the PRNG may be cloned and there is nothing you, our valued customer, can do about it via the libcrypto API. That's why we, who take security very seriously, informed the libressl team and proposed a solution. PoC and solution may be found here. Please note that this is different from the CLONE_PID issue in the past which allowed for reuse of pids but is no longer possible on recent Linux kernels.

Beside that, the opmsg team acknowledges the time and effort libressl developers invest into the project and found the libressl code clean and mature. We continue supporting and recommending the use of libressl in opmsg.
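To make the cloned-PRNG problem concrete, here is an added toy model (my own illustration, not libressl's code and not the PoC the post links to): a userland generator keeps its pool in process memory, so two resumed copies of the same process image produce the same "key" unless the pool is re-mixed from the kernel before use. The class, the snapshot stand-in (a deep copy) and the reseed step are all constructed for this example; a real library would read fresh entropy via getrandom()/urandom, which is what the reseed here models.

```python
"""Toy model of a userland PRNG whose state is duplicated along with a
container/VM snapshot. Added example for this post, not libressl's code."""
import copy
import hashlib
import os


class UserlandPrng:
    """SHA-256 counter-mode generator; stands in for a library PRNG that
    keeps its pool in process memory (constructed for illustration)."""

    def __init__(self, seed: bytes):
        self.pool = seed
        self.counter = 0

    def next_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.pool + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:n]

    def reseed_from_kernel(self) -> None:
        # Mix fresh kernel entropy into the pool. os.urandom reads the
        # kernel's pool, which a copy of the process image does not carry.
        self.pool = hashlib.sha256(self.pool + os.urandom(32)).digest()


def clone_process(prng: UserlandPrng) -> UserlandPrng:
    """Stand-in for one snapshot being resumed twice: the whole process
    image, PRNG pool included, is duplicated byte for byte. Checking
    getpid() would not help: each resumed copy sees the same pid inside
    its own namespace, which is the point the post makes."""
    return copy.deepcopy(prng)


def keys_after_clone(reseed: bool) -> tuple:
    """Generate one 32-byte 'key' in each of two clones of the same process."""
    original = UserlandPrng(os.urandom(32))
    original.next_bytes(16)  # some use before the snapshot is taken
    clone_a = clone_process(original)
    clone_b = clone_process(original)
    if reseed:
        clone_a.reseed_from_kernel()
        clone_b.reseed_from_kernel()
    return clone_a.next_bytes(32), clone_b.next_bytes(32)


def clones_collide(reseed: bool) -> bool:
    """True if both clones derived the same key."""
    a, b = keys_after_clone(reseed)
    return a == b


if __name__ == "__main__":
    print("same key in both clones without reseed:", clones_collide(reseed=False))
    print("same key in both clones with reseed:   ", clones_collide(reseed=True))
```

The check a deployment can run is the first line of the demo: generate a key in two resumed copies of the same image and compare. If they match, the library's pool is not being re-mixed from the kernel after the clone, and key generation in that environment must not be trusted until it is.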

Thursday, November 19, 2015

Pushed some more changes to libusipp git:
o 802.11 stuff for better frame handling (wanna chat about wireless firmware exploits? Come talk to me [1] :)
o No longer needing libdnet for ARP objects, which means that ARP and EAPOL are now also available on OSX. So since now you can as well bypass your favorite 802.1x Switch-Nazi with your oh so cool iShit.

[1] Me also interested in any patches already existing to use the radiotap pflags channel element for TX (e.g. setting the TX channel per packet; the channel flag only seems to notify about the RX channel for captured packets and is ignored for transmission?).

I know: the libusipp API is not very stable, but I don't mind. All my github projects requiring libusipp properly build with the latest pull.

Friday, October 23, 2015

Ported libusi++ to OSX. While doing so it was necessary to lowercase all the enums like IPPROTO_UDP, as the Xcode compiler also tries to expand the enums (unlike gcc). And as macro definitions pollute the global namespace from either netinet/in.h or dnet, this was necessary. It's much cleaner code now and also works with -pedantic.

While porting libusi++ to OSX, it was therefore necessary to adjust some of the other code to reflect the lowercase enums, such as QI. Also polished QI to work against the Darwin TCP stack, so it's now possible to QUANTUM INSERT into Safari. Seems like the Darwin TCP stack requires a nonzero TCP window and Safari ACKed GET requests before accepting the (injected) reply.

After all, TCP/IP stacks evolve over time and there's enough relaxing space in the RFCs to break INSERT tools by small semantic changes in the TCP stacks (sometimes called fingerprinting). So don't expect QI as-is to work in 10 years. Interesting to see that such a quite simple technique still contains some pitfalls.

All in all that was fun with lost packets. Tomorrow biking to lost places to shoot some nice pictures of lost sofas. :)

Thursday, September 17, 2015

Recently tested opmsg against G's fork of OpenSSL, named BoringSSL. That's more of a smoke test rather than a recommended setup. BoringSSL is stripped down and does not provide certain algorithms like ripemd or blowfish. It is also missing the brainpool EC curves. It also does not offer the CFB modes for any of their block cipher algorithms. Some functions for EC-POINT conversions have had to be re-implemented. After that, it cleanly builds with BoringSSL.

If you know what you are doing (e.g. not using any of the missing algorithms or modes mentioned above) AND you don't have peers that use brainpool EC curves, you may use opmsg linked against BoringSSL.

The main reason for G was most likely to have the upper hand for new algorithms like ChaCha20 from DJB, which is optimized for (embedded) software such as on smartphone SoCs which are missing native crypto instructions like AES-NI. So they don't need to wait for other projects to add support for it. Yet, it's still not feasible for me to add ChaCha20 to opmsg as standard OpenSSL is not yet supporting it. If you have a short link to the OpenSSL project, ask them to add ChaCha20+Poly1305 to master (it's already in a special fork) :)

Thursday, September 10, 2015

opmsg has received some attention recently thanks to Phil and his PGP de-setup. Some people checked the protocol and there have not been any major fuckups so far. Thanks to the people involved in the discussions.

The new version:
o Introduces version=2 messages which also hash src-id and dst-id in the KDF to derive the session key, which prevents theoretically possible evil-maid adaptive chosen ciphertext attacks (that should never happen in practice as failed decrypted messages will just be ignored and not be reported back to the sender several thousand times). version=2 must be configured in the config.
o Adds the possibility to restrict kex-id usage (upon decrypt) to the dedicated peer (this will detect/avoid cross-persona references of kex-id's). peer_isolation=1 in the config, which is off by default.
o persona self-linking to implement deniable, yet still properly signed/verified, messages. See the README.

It's all inter-operable so pulling the git doesn't break anything, except 5E's GPG brute-force cluster. :) version=2 will be made default once enough time has passed so that most folks pulled the git meanwhile and support for it is widely available.

I'd also like to add some of the new ciphers like chacha20 but it seems only LibreSSL has got them so far. This would render messages unreadable for recipients which link against OpenSSL.
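The two config options above are easiest to understand in a reduced model, so here is an added example (my own construction, not opmsg's message format or code). It derives a session key with and without the persona ids mixed in, wraps a message in a toy encrypt-then-MAC, and shows the receiver side: a captured body that is re-labelled with a different src persona but still names the same kex-id is accepted under version 1, rejected under version 2 (different key, MAC fails), and rejected under version 1 as well once peer_isolation ties the kex-id to the persona it was generated for. The ids, the kex-id table and the "re-labelling" scenario are constructed; the real adaptive chosen-ciphertext attack the post mentions is not reproduced.

```python
"""Simplified model of version=2 key derivation and peer_isolation.
Added example; message layout and names are constructed, not opmsg's."""
import hashlib
import hmac


def derive_key(shared_secret: bytes, src_id: bytes, dst_id: bytes, version: int) -> bytes:
    """version 1: key depends on the shared secret only.
    version 2: src-id and dst-id are mixed in, so the same secret yields a
    different key for every (src, dst) pair."""
    if version == 1:
        material = shared_secret
    else:
        # length-prefix each field so field boundaries are unambiguous
        material = b"".join(len(f).to_bytes(2, "big") + f
                            for f in (shared_secret, src_id, dst_id))
    return hashlib.sha256(b"session-key|" + material).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: SHA-256 counter keystream, HMAC-SHA256 tag."""
    stream, block = b"", 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + b"enc" + block.to_bytes(4, "big")).digest()
        block += 1
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct + hmac.new(key, ct, "sha256").digest()


def open_sealed(key: bytes, blob: bytes):
    """Returns the plaintext, or None on integrity failure (silently
    ignored, as the post describes)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None
    return seal(key, ct)[:len(ct)]  # XOR keystream is its own inverse


def receive(msg: dict, kex_table: dict, my_id: bytes, version: int, peer_isolation: bool):
    """Receiver side. kex_table maps kex-id -> (shared_secret, persona this
    DH key was generated for)."""
    if msg["dst"] != my_id:
        return None
    entry = kex_table.get(msg["kex_id"])
    if entry is None:
        return None
    shared_secret, dedicated_peer = entry
    if peer_isolation and msg["src"] != dedicated_peer:
        return None  # kex-id referenced from a persona it was not created for
    key = derive_key(shared_secret, msg["src"], msg["dst"], version)
    return open_sealed(key, msg["body"])


def demo(version: int, peer_isolation: bool):
    """Returns (result for the genuine message, result for the re-labelled one)."""
    alice, bob, mallory = b"alice-id", b"bob-id", b"mallory-id"
    secret = hashlib.sha256(b"constructed DH shared secret").digest()
    bob_table = {b"K1": (secret, alice)}  # K1 was generated for Alice
    legit = {"src": alice, "dst": bob, "kex_id": b"K1",
             "body": seal(derive_key(secret, alice, bob, version), b"hello bob")}
    relabeled = dict(legit, src=mallory)  # same body, same kex-id, other src persona
    return (receive(legit, bob_table, bob, version, peer_isolation),
            receive(relabeled, bob_table, bob, version, peer_isolation))


if __name__ == "__main__":
    for v, iso in ((1, False), (2, False), (1, True)):
        print(f"version={v} peer_isolation={int(iso)}:", demo(v, iso))
```

The design point is that binding the ids into the KDF and enforcing kex-id ownership are independent checks: version=2 makes a re-labelled body fail cryptographically, peer_isolation rejects it before any key is derived, and either one alone already closes this particular scenario.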

Monday, July 6, 2015

EC persona support has been added to opmsg. The benefit is that generation of EC personas may be done within milliseconds. So the threshold of throwing away personas or generating new ones for each contact has almost lowered to zero. It all works transparently to the user, who just needs to use --newecp instead of --newp when creating a new persona. Instead of DH Kex, opmsg transparently uses ECDH Kex in that case. As all group parameters are within the pubkey blob, this does not require DH parameters as in the RSA case. For the ECC algos, the Brainpool curves are used, which are standardized by RFC 5639, which explains how the group parameters were selected, unlike for the potentially backdoored NIST curves.

Thursday, June 25, 2015

As can be read here, it's known since quite some time that the CPU is emitting frequencies upon operation which contain enough "signature" so that crypto keys may be recovered. This happens namely during RSA decryption and signing operations. As this is a public paper using publicly available SDRs, and thinking 20 years ahead, there's a good chance that there are setups today with antennas and sufficient DSP computing power that may recover keys from a far larger distance than just the mentioned 50cm. What does that mean for opmsg?

In the new version (1.3), I enabled RSA blinding during decryption and signing. During "normal operation", due to the DH keys in use, there should be no attack surface. In the worst case the attacker just recovers the private half of the DH key of his own specially crafted message. Further, opmsg verifies the integrity of the sender before any decryption, so you can't decrypt specially crafted messages (as required in the paper) from strangers who hope to capture signals once the message is processed. It's already recommended (and easy to set up) to use a dedicated persona for each peer. If you follow that guideline, even w/o RSA blinding the attacker can just decrypt his own messages.

What else is new?
o The use of RSA-fallback mode can now be seen in the output
o it is possible to --burn keys (only use once)
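For readers who have not seen RSA blinding spelled out, here is an added example of the arithmetic (my own illustration with constructed small primes; opmsg gets this from the library, OpenSSL offers it via RSA_blinding_on(), and the post does not show which call it uses). The private exponentiation is applied to c * r^e for a fresh random r instead of to the attacker-chosen c, and r is divided out afterwards, so the value whose processing leaks through the side channel is no longer under the attacker's control. The key size here is far below anything real and only serves to keep the numbers readable.

```python
"""RSA blinding on the private-key operation. Added example with
constructed toy parameters, not opmsg's or OpenSSL's code."""
import secrets
from math import gcd

# Constructed toy key: two 30-bit primes. Real keys use 2048-bit moduli.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_plain(c: int) -> int:
    # Exponentiates the attacker-chosen ciphertext directly: the trace of
    # this operation is a function of c and d, which is what the paper
    # exploits.
    return pow(c, D, N)


def decrypt_blinded(c: int) -> int:
    """Randomise the value that is raised to d, then strip the mask."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:  # r must be invertible mod n
            break
    c_blind = (c * pow(r, E, N)) % N      # (m * r)^e mod n
    m_blind = pow(c_blind, D, N)          # m * r mod n
    return (m_blind * pow(r, -1, N)) % N  # m mod n


def sign_blinded(h: int) -> int:
    """Signing is the same private operation: s = h^d is computed as
    (h * r^e)^d * r^-1, so the mask applies there too."""
    return decrypt_blinded(h)


def verify(h: int, s: int) -> bool:
    return pow(s, E, N) == h % N


if __name__ == "__main__":
    m = 123456789
    c = encrypt(m)
    print("plain  :", decrypt_plain(c))
    print("blinded:", decrypt_blinded(c))
    s = sign_blinded(m)
    print("signature verifies:", verify(m, s))
```

Both decrypt paths return the same plaintext; the difference is only in which intermediate values exist during the exponentiation. The post's other two measures, integrity-checking the sender before decrypting and one persona per peer, reduce how often the private operation runs on foreign input at all, which is the cheaper defence.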

Thursday, May 21, 2015

Now that the TURMOIL slides make sense, I adjusted my own projects. The good news is that I always used to generate unique DH params (I wonder so many ppl apparently didn't - there is no real benefit to use hard coded values, except to Eve!?) in my projects during or before build. So it should be quite hard for a Nation State Adversary to break that.

For lophttpd and crashd, I removed 512 and 1024 bit DH params support and use 2048bit instead. opmsg always supported 2048bit (and higher), but the default was 1024. So I changed the default to 2048 bit. Existing personas can be "upgraded" by using the --newdhp switch. I was thinking this switch may just be used in rare cases, but now it turns out it was the right decision to design the opmsg protocol with easy DH params re-creation in mind. SUCCESS! DH keys that are already "in flight" can't be upgraded, but may be used as before (taking the 'weaker' 1024bit into account) even after upgrading to 2048bit DH params.

Unfortunately, 2048bit keys come at the cost of a longer key generation process. This may take a couple of minutes. If that's too much for you, you are free to change your default DH params len to 1892 or whatever your level of secrecy demands.

Thursday, May 7, 2015

Given the recent crypto discussion, mass surveillance and cyber jokes in general, I uploaded a new project to my github. It was about time. I wonder whether our gov is equally toast/bad in other fields, or if I just get pointed to it because I have some background in this field and am blind to all the other failures where I am missing the knowledge. (SIGILL//NOPORN)

Update:
The first review round is over and it seems like the opmsg concept found some friends. I got some recommendations which were incorporated in the git. That's new:
- fixing insufficient hashing of persona key to detect tampering of RSA keys during transit/import (RSA's e value was simply not part of the hash and it now is)
- removing OFB cipher modes in favor of CTR and GCM modes (AES)
- adding option to allow linking of personas (see README)
- adding cygwin support

It is incredibly hard to review your own code; so thanks to myself. While I buy the OFB arguments, I am not sure if it's a benefit to add ECC support for personas. ECC is mostly based on curves with parameters chosen by NIST. The same NIST that is suspected of putting backdoors in crypto standards (slides), even more in standards that use ECC to generate randomness! Knowing this, why should I trust any parameters chosen by them? You can argue that suite-B, the NSA approved standards for protecting US gov infra, is unlikely to contain backdoors for themselves and that this would be a tough bluff to do so just to read Putin's email. But given the additional implementation cost (maybe I should crowdfund it?) for little benefit or even "badfit" this seems not worth the effort.
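The first item in the list, a key hash that left out e, is a detection gap worth seeing in code, so here is an added example (my own illustration, not opmsg's actual hash layout): a fingerprint over the modulus alone stays identical when the exponent is swapped in transit, while one that length-prefixes and hashes every component of the public key changes. The toy key values are constructed; what a tampered e would buy an attacker is not discussed on the page and is not claimed here, only that the old scheme could not notice it.

```python
"""Persona-key fingerprint with and without the RSA public exponent.
Added example with constructed key values, not opmsg's hash layout."""
import hashlib

# Constructed toy public key: modulus from two small primes, e = 65537.
N = 1000000007 * 998244353
E = 65537


def _be(v: int) -> bytes:
    """Big-endian minimal encoding of a non-negative integer."""
    return v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")


def fingerprint_modulus_only(n: int, e: int) -> str:
    """The pre-fix scheme: e is accepted but simply not part of the hash."""
    return hashlib.sha256(_be(n)).hexdigest()


def fingerprint_full(n: int, e: int) -> str:
    """Hash every component that defines the key, each length-prefixed so
    that two (n, e) pairs cannot collide by moving bytes between fields."""
    h = hashlib.sha256()
    for v in (n, e):
        b = _be(v)
        h.update(len(b).to_bytes(4, "big") + b)
    return h.hexdigest()


def import_persona(n: int, e: int, expected_fp: str, scheme) -> bool:
    """Import-time check: accept the key only if its fingerprint matches the
    one obtained from the peer out of band."""
    return scheme(n, e) == expected_fp


def tamper_detected(scheme) -> bool:
    """Does the scheme refuse a key whose e was swapped in transit?"""
    genuine_fp = scheme(N, E)          # what the peer published
    tampered_e = 3                     # modulus intact, exponent replaced
    return not import_persona(N, tampered_e, genuine_fp, scheme)


if __name__ == "__main__":
    print("modulus-only hash detects e swap:", tamper_detected(fingerprint_modulus_only))
    print("full hash detects e swap:        ", tamper_detected(fingerprint_full))
```

The general rule the fix illustrates: a fingerprint must cover every field that influences how the key is used, and fields must be delimited (length-prefixed or otherwise framed) so that the hash input is an unambiguous encoding of the whole key rather than a concatenation that two different keys could share.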

Thursday, April 23, 2015

Is someone C++11 guru enough to make a statement whether the following C++11 code is correct? In particular on what's happening on line 24, as the lambda should not harvest the memory structures (scope?). To me, everything looks OK. If that's the case, it would ease a lot of cleanup routines on error returns from functions. Please leave a comment.

Sample C++ code

Thursday, January 8, 2015

In the last post I promised to stop threat analyzing. So here is some dev again which I already started developing back in 2014 and where I finally found some time to finish. It's a small U2F stack with the APDU framing code based on Google's U2F reference code. After reviewing a lot of other U2F code (sigh!), I found this reference code comprehensive enough to be usable for myself and for PAM code. It also builds on Darwin, but I didn't have time to test it there.
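Since the post mentions APDU framing without showing it, here is an added parser for the ISO 7816-4 command APDU encodings that U2F messages travel in (my own example; it is neither the post's U2F stack nor Google's reference code). It handles the short form (1-byte Lc/Le) and the extended form (a 0x00 marker followed by 2-byte lengths) that the U2F raw message format uses, rejects truncated or over-long bodies instead of reading past them, and builds one U2F_REGISTER request with constructed 32-byte parameters for a round trip. The INS values are the ones from the FIDO U2F raw message format; the sample SELECT-style short APDU is constructed.

```python
"""ISO 7816-4 APDU parser (short and extended encodings) with a U2F
request builder. Added example, not the post's or Google's U2F code."""
from dataclasses import dataclass
from typing import Optional

# INS codes from the FIDO U2F raw message format.
U2F_REGISTER, U2F_AUTHENTICATE, U2F_VERSION = 0x01, 0x02, 0x03


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]  # expected response length, None if absent
    extended: bool


def parse_apdu(buf: bytes) -> Apdu:
    """Parse a command APDU, raising ValueError on any malformed length."""
    if len(buf) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = buf[0], buf[1], buf[2], buf[3]
    body = buf[4:]
    if not body:                                   # case 1: header only
        return Apdu(cla, ins, p1, p2, b"", None, False)
    if len(body) == 1:                             # case 2S: Le only, 0 means 256
        return Apdu(cla, ins, p1, p2, b"", body[0] or 256, False)
    if body[0] != 0:                               # short Lc in 1..255
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc:
            raise ValueError("Lc exceeds available data")
        if len(rest) == 0:
            le = None
        elif len(rest) == 1:
            le = rest[0] or 256
        else:
            raise ValueError("trailing bytes after short Le")
        return Apdu(cla, ins, p1, p2, data, le, False)
    # body[0] == 0 with more bytes following: extended encoding
    if len(body) == 3:                             # case 2E: Le only, 0 means 65536
        return Apdu(cla, ins, p1, p2, b"", int.from_bytes(body[1:3], "big") or 65536, True)
    if len(body) < 4:
        raise ValueError("truncated extended length field")
    lc = int.from_bytes(body[1:3], "big")
    if lc == 0:
        raise ValueError("extended Lc must be 1..65535")
    data, rest = body[3:3 + lc], body[3 + lc:]
    if len(data) != lc:
        raise ValueError("Lc exceeds available data")
    if len(rest) == 0:
        le = None
    elif len(rest) == 2:
        le = int.from_bytes(rest, "big") or 65536
    else:
        raise ValueError("trailing bytes after extended Le")
    return Apdu(cla, ins, p1, p2, data, le, True)


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_apdu(buf)
        return True
    except ValueError:
        return False


def build_u2f_register(challenge_param: bytes, app_param: bytes) -> bytes:
    """Encode a U2F_REGISTER request in the raw message framing: extended
    Lc, 64 bytes of data (challenge and application parameters), Le 00 00."""
    if len(challenge_param) != 32 or len(app_param) != 32:
        raise ValueError("both parameters are SHA-256 digests, 32 bytes each")
    data = challenge_param + app_param
    header = bytes([0x00, U2F_REGISTER, 0x00, 0x00, 0x00])
    return header + len(data).to_bytes(2, "big") + data + b"\x00\x00"


if __name__ == "__main__":
    req = build_u2f_register(b"\x11" * 32, b"\x22" * 32)  # constructed params
    print(parse_apdu(req))
    print("truncated accepted:", is_well_formed(req[:20]))
```

The length checks are the part a PAM module or token firmware actually depends on: Lc is attacker-supplied from the wire, so the parser must compare it against the bytes present before slicing, and the 0x00 extended marker must not be confused with a short Le of 256, which is why the 1-byte and 3-byte bodies are distinguished before the marker is examined.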